About

We set up our previous dedicated server after leaving the Laughing Squid Cloud service. It worked OK for about 6 months, but then our amateur setup started falling over. Once or twice a week at first, and then every day.

Something had to be done, and by someone more professional than us. Arhi recommended Alex at CloudWebOps.com. Alex did our complete server setup, migration, and hardening at a very reasonable price.

Here are the main features of the setup:

Main dedicated server running Linux, Apache, MySQL, and PHP, with a nginx reverse proxy server running in front of everything

Secondary Amazon leased server with Munin server monitoring

Multiple daily backups to Jungle Disk encrypted backup service

Daily SQL database backups to third backup server

If you need a Linux server setup and hardening, you should check out Alex. He went above and beyond, and helped us every step of the way. He even documented the server install on this wiki page - you can try to DIY, but we think the professional setup Alex did was worth it.

Overview

[Screenshot: htop output with the NGINX reverse proxy running in front of Apache]

When traffic is too high, Apache spawns many CPU-heavy processes and consumes too much memory, which causes the server to crash.
Apache is a reliable HTTP server that still holds more than 66% of the web server market, according to W3Techs, but it was not designed with performance or scalability in mind.

You can speed up your current HTTP server by installing a reverse proxy server in front of it. A reverse proxy fetches resources from one or more servers and returns them to the client as if they originated from the proxy server itself.

We will put the Nginx web server in front of Apache: Apache serves all dynamic content and Nginx handles all static files without consuming many system resources, combining the benefits of both servers.

MySQL

# apt-get install mysql-server

During the installation, you will be prompted for a password. Choose something secure and record it for future reference. At this point, MySQL should be ready to configure and run. While you shouldn't need to change the configuration file, note that it is located at /etc/mysql/my.cnf for future reference.

ProFTPD

# apt-get install proftpd

select: standalone mode

configuration:

# nano /etc/proftpd/proftpd.conf

check configuration:

# proftpd -t

After modifying any part of your ProFTPD configuration, you will need to restart the ProFTPD service:

# /etc/init.d/proftpd restart

Postfix

# apt-get install postfix

select: internet site

configuration:

# nano /etc/postfix/main.cf
# nano /etc/postfix/master.cf

After modifying any part of your Postfix configuration, you will need to restart the Postfix service:

# /etc/init.d/postfix restart

Configuration

Stop the Nginx server if it was started automatically by the package manager and create a new nginx.conf configuration file – installed in /etc/nginx/ by default – by pasting the following and adjusting the paths to those of your installation:

Nginx should run as the same user Apache runs as, to avoid file permission problems.

Besides the proxy setup, this configuration file includes some generic performance tuning, such as using epoll as the event model method, which works effectively on Linux 2.6+ kernels. This works in tandem with the next line, accept_mutex off, to improve performance a bit more. Enabling sendfile allows nginx to use the kernel's sendfile support to send files to the client regardless of their contents. This can help with large static files, such as images, that have no need for a multiple request/confirmation system to be served. Enabling gzip compression for static files can make a big performance difference. The lines starting with gzip enable compression for common web files, such as .css and .js files, on supported browsers.
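The following nginx.conf is an added example of the layout described above (nginx listening on port 80, Apache on 127.0.0.1:8080, static files served by nginx, everything else proxied). It is not the original file from this setup; the user name, the hostname, the document root and the log paths are assumptions to adjust for your installation.

```nginx
# Added example nginx.conf (not the original file from this server).
# Assumptions: Apache runs as www-data, listens on 127.0.0.1:8080 and
# serves example.com from /var/www/example.com.
user www-data;                      # same user Apache runs as
worker_processes 2;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;

events {
    worker_connections 1024;
    use epoll;                      # event method for Linux 2.6+ kernels
    accept_mutex off;               # works together with epoll
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;

    sendfile on;                    # kernel sendfile for static files
    tcp_nopush on;
    keepalive_timeout 65;           # keep-alive handled here, not in Apache

    # Compression for common web files; Apache's mod_deflate can stay off.
    gzip on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml;
    gzip_disable "MSIE [1-6]\.";

    server {
        listen 80;
        server_name example.com www.example.com;   # assumed hostname
        root /var/www/example.com;                 # assumed document root

        # Static files are served straight from disk; if a file is missing,
        # fall through to Apache so it can return its own 404 page.
        location ~* \.(jpe?g|gif|png|ico|css|js|txt|html?)$ {
            expires 30d;
            try_files $uri @apache;
        }

        # Everything else (PHP and other dynamic content) goes to Apache.
        location / {
            try_files $uri @apache;
        }

        location @apache {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            # These two headers carry the real client address to Apache;
            # mod_rpaf on the Apache side reads X-Forwarded-For.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Check the file with nginx -t before starting the service; the proxy_set_header lines are what make the mod_rpaf step below work, since without them Apache only ever sees 127.0.0.1.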

Apache reverse proxy forward module(mod_rpaf)

If you check the Apache access log files you should see that all incoming requests are coming from 127.0.0.1. To fix this you need to install mod_rpaf, the reverse proxy add forward module for Apache.
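An added example of the mod_rpaf configuration for Apache 2.2 on Debian/Ubuntu (it is not the original rpaf.conf from this setup). The file path and the package name are the stock Debian ones; the proxy address is assumed to be the nginx instance on the same host.

```apache
# Added example /etc/apache2/mods-available/rpaf.conf (not the page's own file).
# Install and enable with: apt-get install libapache2-mod-rpaf && a2enmod rpaf
<IfModule mod_rpaf.c>
    RPAFenable On
    # Replace the Host header with the one nginx forwarded, so name-based
    # virtual hosts on port 8080 still match the original hostname.
    RPAFsethostname On
    # Trust the forwarded address only when the request comes from nginx.
    # Keep this list to your proxy addresses: if any client could reach
    # Apache directly, it could otherwise supply a fake source address.
    RPAFproxy_ips 127.0.0.1
    # Header nginx sets with "proxy_set_header X-Forwarded-For ..."
    RPAFheader X-Forwarded-For
</IfModule>
```

After a2enmod rpaf and an Apache restart, the access log should show the real client addresses instead of 127.0.0.1. Binding Apache to 127.0.0.1:8080 (next section) is what makes the RPAFproxy_ips restriction meaningful, since then only the local nginx can talk to it.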

Apache configuration (behind Nginx)

Nginx now acts as the front-end web server, waiting for requests on port 80, so you need to configure Apache to listen on a different port (8080 in this case) and preferably only on localhost. Open the file /etc/apache2/ports.conf and change the line
Listen 80 to Listen 127.0.0.1:8080.
If you use name-based virtual hosts you should have a line NameVirtualHost *:80 in the same file; change that to NameVirtualHost *:8080.

If you have configured Keep-Alive support in Apache you should disable it, since it is already enabled in Nginx. Change KeepAlive On to KeepAlive Off in /etc/apache2/apache2.conf. You can also disable the mod_deflate module, since Nginx already provides gzip compression.

nginx referer denial

In /etc/nginx/nginx.conf there is a list of words that are denied in URLs. If a page's URL contains one of these words, requests referred from that page will not load: its images and stylesheets go missing, and every link from that page to another page on the same site comes up blank.